PCI: Merchants Still Fall Short
Verizon: Lax Card Security Will Lead to More Breaches
Verizon's updated Payment Card Industry Compliance Report shows that organizations still face issues such as resource and budget availability when trying to meet compliance with the PCI Data Security Standard, Verizon's Jen Mack says.
More than 100 organizations participated in the study, ranging from Fortune 50 to small businesses. In the study, Verizon notes that businesses may be suffering from a level of security complacency. "Many take the approach that it's a compliance project versus trying to achieve what I think can be an optimal security posture for the long-term health of the business," Mack says in an interview with BankInfoSecurity.com's Tracy Kitten [transcript below].
In working toward compliance, Mack feels that a compliance and management program will help. And the focus of an organization shouldn't just be about achieving compliance, but maintaining a level of security that will assist in the long run.
During this interview, Mack discusses:
- The roles card-issuing and sponsoring financial institutions can play in helping their merchant customers and members attain and maintain PCI compliance;
- Why a majority of merchants seem complacent when it comes to PCI compliance;
- Why the risk of ongoing and increasing breaches of cardholder data should be a concern for the payments industry.
Mack oversees Verizon's Global Payment Card Industry Practice as well as development of solutions for acquiring banks and merchants, and other industry verticals. She also is one of the key contributors to the Verizon PCI Compliance Report series. Before joining Verizon, Mack served as the vice president for fraud management solutions at MasterCard Worldwide, where she created the company's first PCI education program to increase adoption of the PCI Data Security Standard. While working at MasterCard, she developed the initial draft of the PCI DSS Prioritized Approach, which launched in 2009 to help organizations identify and reduce risk to cardholder data. She also chaired the PCI Security Standards Council Marketing Working Group, where she created and drove marketing plans related to the council's goals and objectives. Mack led the PCI and Partner Security Program practices at Cybertrust, which was acquired by Verizon in 2007, before joining MasterCard in 2009.
Small Businesses and Compliance
TRACY KITTEN: For the second consecutive year, Verizon has found that many small businesses, despite their acceptance of credit and debit payments, continue to fall short when it comes to compliance with the PCI Data Security Standard. That seems rather shocking given the fact that the standard has been around for nearly a decade. Can you tell us why you think so many small businesses are having a hard time achieving and maintaining PCI compliance?
JEN MACK: The Data Security Standard has been out for just six years now at this point, and I think initially folks had a difficult time achieving compliance because they were trying to understand what the scope of the standard was and what the intent of the requirements, etc. are. But over the last few years, we have seen many organizations be successful in achieving compliance. Now it's really moved towards the struggle to maintain. Many I think have not accepted or moved towards a programmatic approach, so it's really difficult to keep and maintain all of those 250 requirements in place throughout the year.
KITTEN: Verizon's new report includes information about businesses in the U.S., Europe, as well as Asia. Can you provide any market insights or differentiation among the markets when it comes to PCI compliance? What unique challenges or struggles does each of these markets face?
MACK: Just looking at that question from a high-level perspective, I think many of these organizations, regardless of where they're located, face similar struggles such as resource and budget availability and the timing to meet compliance. ... Europe is really starting to do a much better job at this and there are some specific countries even that are doing fairly well, such as Germany, the U.K. and France as well. Those regions are doing very well. You've got those countries within those regions that are doing well, but you've got other regions such as LAC [Latin America and the Caribbean] and APAC [Asia-Pacific] that are still lagging behind, and sometimes that's a lack of QSA resources available in those regions or it's a lack of understanding of what's needed, or even just it's general enforcement - the banks in those regions are not as stringent if you will.
Year-to-Year Comparison
KITTEN: When looking at the comparative year-to-year data, what stood out the most to you?
MACK: When we just look at everything, comparing the requirements from last year to this year, we're looking at how many organizations were compliant at the time of the IROC [Initial Report on Compliance]. It all looks fairly similar to last year's report. We don't see a lot of change, but when we lay over that data and we look at it from the prioritized approach perspective, which is the milestone approach, really all the sub-requirements in milestone one reduce the greatest amount of risk, milestone two etc. The more you have in place in the earlier milestones, the more risk that you're taking care of if you will. If we're looking at the requirements laid out in that manner, as far as what was in place and not in place at the time of the IROC, from that perspective you can really discern the amount of risk that's outstanding. We actually saw just in milestone one a ten-percent drop. It went from 88 percent to 78 percent, those sub-requirements, in place around milestone one at the time of the IROC. And considering that's the area that has the requirements that are supposed to reduce the most amount of risk, it's kind of concerning to me to see a negative drop as much as ten percent in that area. The Data Security Standard is all about protecting cardholder data, so I would like to see more improvement in that basically.
KITTEN: One of the things that stood out to me actually was that Verizon notes that only 21 percent of organizations that Verizon assessed were compliant during their initial audits, a reality that Verizon says is actually very disappointing. Can you tell us a bit about the 21 percent that were compliant?
MACK: Definitely and we're so happy to see there are a lot of organizations like this out there, whether they're our clients or other QSA clients. These are the organizations who have taken the initiative to do everything they can to get this set of requirements integrated into their daily business processes versus looking at this as a one-off project. When you're talking to the people within the organization, regardless of what function they have, they've got the right level of awareness about what the Data Security Standard is, or they're aware of what the data flows are and where the data is, and they are prepared for the assessment. They're maintaining compliance throughout the year. It's just a higher level of awareness of understanding within these organizations as well as the approach of "let's not look at this as a one-off project." Let's just get this into our daily business.
KITTEN: That's such a good point. I guess I would like to get some perspective there because we do talk so often about organizations just reaching compliance and then they don't do anything else. They don't want to do those regular types of assessments. I wanted to get a feel for how many organizations did Verizon actually assess for this report and what's the annual revenue range for these businesses. Was the same number of businesses assessed in 2010? Can you give us some idea there?
MACK: In this year's study we had a little over 100 organizations included in this. They range anywhere from Fortune 50, Fortune 100, global companies, all the way down to small, medium business organizations looking for assistance to do a GAP assessment and to say, "Look, this is our first year doing this, or this is our second and we need some guidance on where to start. Or is this the right scope? We want to make sure we are looking at the right environment." It's ranging the gamut there. Last year's report covered a little over 200 reports and that was over two-year periods from 2008 to 2009.
Security Complacency
KITTEN: Verizon notes that many small businesses seem to be suffering from a level of security complacency, despite the fact that they face steep and even severe fines for non-compliance with the PCI-DSS. Can you explain why there's this apathy in the market?
MACK: I would say that this isn't just a small business situation. This is in every organization at all levels, whether you're Fortune 1 or you're Joe's Pizza. I think again it goes back to how they view this activity. Many take the approach that it's a compliance project versus trying to achieve what I think can be an optimal security posture for the long-term health of the business. I think if business is done, it's pretty certain that PCI compliance as well as compliance with other standards will just naturally occur as a result.
KITTEN: Lack of PCI compliance continues to be linked to data breaches and, as the report data proves, organizations are more likely to suffer from identity theft and fraud issues when compliance is not met. Are there certain industries or vertical markets that stand out where non-compliance with the PCI-DSS is concerned?
MACK: We usually have two frontrunners that are tying for first place year-over-year and that's retail and the financial verticals.
The Role of Financial Institutions
KITTEN: What roles do card-issuing or sponsoring financial institutions play when it comes to assisting retailers or merchants? And of course I will use that term loosely because I know that we also might have some entities that touch the healthcare space for instance that could fall under that category. What work should these institutions be doing to help these merchants that they work with achieve PCI compliance?
MACK: That's a really great question. I think these card-issuing financial institutions, they're the bodies if you will that the actions and the activities that they undertake are with their merchant portfolios - that's what's going to move the compliance needle in the right direction. They need to educate their merchant portfolio about what PCI is. They need to set expectations. What's expected of them? What are the reporting guidelines? What activities do they have to undertake? And again the education layers onto that, so what do they need to do? What's this all about? Then there's the enforcement, so it's not enough to just talk about it and say that you need to do it. You need to enforce this with the merchant portfolio. You need to make sure that they're reporting on the quarterly annual basis as they're required. And they need to be a partner for them when it comes to working with compensating controls or working on extending compliance design because of business reasons or whatever the case may be, so working with the card brand to help avoid fines, to be a partner to them in the end as well. I think education, expectation setting and enforcement are the three key areas that they need to focus on.
KITTEN: That's a great point. I actually want to go back to something that you said earlier, and that's when you take a step back and look at the different verticals that often suffer from non-compliance with the PCI-DSS, financial services actually falls into that category. Are institutions themselves maybe suffering from some level of apathy? Or maybe we're using financial services broadly and that includes entities that wouldn't necessarily be banks or credit unions.
MACK: It's not necessarily the banks or credit unions, but I would say that the banks themselves, whether they're acquiring or issuing, they've got their own unique set of challenges. In fact, the council has actually provided a subset of requirements specifically for issuing banks because they understand they have these unique challenges. I work with so many banks and have talked to even more throughout my years in educating in these areas and there a lot of folks at the banks that take this very seriously, for their merchant portfolio as well as for themselves. They have got entire task forces and teams working on this, because ... it's not just their existing environment; they're looking ahead to their strategy and what other payment types of solutions do we want to provide our merchant base. How can we help our merchants become compliant, and more easily what services can we provide them? They've got to look at how they're not only looking at their existing environment, [but how] they're looking to the future. I think a lot of banks are on the right track and they're doing the right thing. I think ... some of them maybe need to do some more education and expectation setting. And again, continue to be a partner.
KITTEN: Verizon found - this was something that I thought was interesting and this is a little bit more specific - that many organizations struggle the most with requirements that relate to the protection of stored cardholder data, which of course has been an issue for quite some time. But in addition to the storage of cardholder data, Verizon also noted track-and-monitor access, regular tests and assessments of systems, as well as the maintenance of security policies. What recommendations does Verizon offer to help organizations overcome the struggles they face in those particular areas?
MACK: That's a really good question. We actually polled our QSAs globally around recommendations this year and we got, I think, a really robust set in the report that will be beneficial to a lot of organizations. ... Not to sound like a broken record, but the key to maintaining compliance is a compliance and management program. [If] they've got a compliance management program in place and they are looking at this, not just from achieving compliance but maintaining a good security posture, then it's going to assist them in delegating and structuring all these tasks that are required of the DSS over an achievable period versus this mad dash for the finish line before the QSA shows up.
These are areas that have strong correlations to data breaches ... storage of cardholder data, track-and-monitor access, regularly testing the system. Strong correlation to data breaches though, they should be extra vigilant here and not just on a quarterly basis, [but] daily log reviews, doing the vulnerability scanning, doing the patching, running data discovery tools, those kinds of things. They should be extra vigilant and those are a lot of the requirements that are in milestone [one] of the prioritized approach, where we saw that ten-percent drop.
More Breaches?
KITTEN: Do you think that the payments industry can expect to see more breaches in 2011 and 2012 as a result of this non-compliance?
MACK: That's a tough call, but I think that if they continue to fall in and out of compliance throughout the year, then they're just going to continue to remain targets for hackers, whether it's a successful breach or not, or they're breached, whether they successfully achieve obtaining payment card data. The DSS is all about layers of protection if you will. So even if they're able to breach the entities, the perimeter, has the data been rendered unreadable? There are multiple ways that we can stop this influx of payment card breaches, but do I think we're going to see more breaches? Honestly, it's a very real possibility unless these organizations really kind of get serious about implementing a programmatic approach and getting this integrated into their day-to-day business.
KITTEN: Malware and hacking are noted as the most predominant methods used to gain access to card holder data, and several overlapping PCI requirements are aimed at protecting against these types of attacks, but organizations are not following the requirements. When it comes to online security, where do you see the greatest challenges or areas in need of improvement?
MACK: I would specifically point to requirement 11, which is vulnerability scanning and penetration testing. Those are the biggest areas in that. Then also, secure coding practices, requirement six. We're talking about web-based applications. We need to ensure that the applications are deterring account harvesting, that input-validation controls exist to not allow for SQL injection, and there are multiple ways that organizations can achieve these. They can use vulnerability assessment tools or they can use an application-layer firewall. Online security requirements 11 and six are probably two of the areas that they need to be very vigilant in. Obviously, to be PCI compliant you have to meet all DSS requirements, but for online folks they should be extra vigilant here.
KITTEN: Before we close, what final thoughts would you like to leave our audience with generally as they relate to the recent findings included in this Verizon report?
MACK: I'm going to go back to my mantra: please, please work hard to implement PCI as a program versus a one-off project. I think you will see what we've seen for a lot of successful organizations, that time, money and resources will be reduced greatly. We've seen it as much as a 30-percent reduction in lots of resources and money over the course of the year if they put in a programmatic approach. That would be my biggest recommendation.